As CAAF continues to deliberate on the interlocutory prosecution appeal in United States v. Mitchell, No. 17-0153/AR (CAAFlog case page) (argued on Tuesday, April 4, 2017), involving suppression of the contents of the accused’s cell phone because military investigators continued to question him after he requested an attorney and that questioning led to the phone’s decryption, a Marine judge advocate’s student note in the Georgetown Law Technology Review is of interest.

In Cracking the Code: The Enigma of the Self-Incrimination Clause and Compulsory Decryption of Encrypted Media, 1 GEO. L. TECH. REV. 247 (2017) (available here), Jason Wareham concludes that:

the act of decrypting a hard drive is protected by the Fifth Amendment, as the act of decryption, not just the sharing of the password, is itself testimonial. Decrypting is testimonial logically because it provides access to files no other person can know of or otherwise access. The act of encryption is an admission proving both the existence of the accused’s files, and the accused’s possessory relationship to these files. Since only the person who encrypted an item would have the key to decrypt it (presuming the knowledge-based password), it shows possession, dominion, or control. Finally, the accused’s act of production would be a necessary link in the authentication for the files should the prosecutor seek to have the evidence admitted in court, as no one but the accused would be able to confirm that the files produced are indeed the accused’s files.

Wareham suggests that “the jurisprudence governing compulsory decryption is poised to devolve into an indiscernible morass,” and that “there is no discernible rule, standard, or analysis emerging for the use of the act of production or foregone conclusion doctrines as applied to encryption.” So, two are suggested:

First, as a legal principle, practitioners, governments, and courts alike should accept that compelling an individual to either produce a password or to compulsorily decrypt their digital files in a private knowledge-based-key scheme is presumptively a testimonial act. . . .

[Second] if the decrypted files are not cumulative then they add something to the government’s case. If they add something to the government’s case, then the decrypted files are a link in the chain of evidence against the accused. If the decrypted files are a link and the decryption comes from the accused, then his self-incrimination right has been infringed because he was compelled to join that chain.

CAAF may well avoid this morass in Mitchell by applying the plain and relatively simple language of Mil. R. Evid. 305(c)(2) that any evidence derived from an interrogation after a suspect requests counsel is inadmissible unless counsel was provided. I suggested this approach in my argument preview.

17 Responses to “Scholarship Saturday: The Enigma of the Self-Incrimination Clause and Compulsory Decryption of Encrypted Media”

  1. stewie says:

    So, an accused is suspected of having child porn on computer, but encrypts it, so if they seek an attorney, then the computer can’t be searched?
    All sorts of tangible objects are incriminatory, including things in vaults. I’m not sure why computer data isn’t treated more as a “thing” than “testimony.” Well, it is, I just mean in this argument.

  2. ResIpsaLoquitur says:

    It’s not that the computer can’t be searched.  It’s that law enforcement hasn’t gotten smart enough in many cases to access the contents without the encryption password.  Practically speaking, it turns out like this:
    Cops: “You have the right to remain silent, but we have this search warrant to check your computer.”
    Suspect: “Well, ok.  But I’m taking the fifth and I want a lawyer, so I’m not helping you.”
    Cops: “Fine, but give us the key to the desk you locked the computer in.”
    Suspect: “It’s over there.”
    Cops: “Now tell us the password to your computer.”
    Suspect: “What? No! I’m invoking your right to silence!”
    Cops: “You can remain silent, that’s cool.  But you have to tell us the password.”
    See the problem here?

  3. DCGoneGalt says:

    So you have the right not to incriminate yourself unless law enforcement really needs the information to get what they want. 
    In other words, you don’t have to tell me the story of the murder . . . but you do have to walk me to the murder weapon and the body. 
    The correct answer when told to turn over the password is “No.  Oh, and GFY”. 

  4. JP Stevens says:

    Is there a difference between giving the cops a key and telling the cops the combination to a lock?  See US v. Hubbell
    Would it be legal for a Commander to order a Servicemember to unlock his wall locker during a health and welfare inspection? See U.S. v. Smidutz, 19 C.M.R. 888, 889 (A.F.B.R. 1955)
    Would it be a legal or illegal order for a Commander to order a Servicemember when served with a valid search and seizure warrant for his cell phone to unlock his phone to facilitate the search?  See U.S. v. Smidutz, 19 C.M.R. 888, 889 (A.F.B.R. 1955)
    With regards to encryption, compare In re Grand Jury Subpoena Duces Tecum Dated Mar. 25, 2011, 670 F.3d 1335, 1337 (11th Cir. 2012) with U.S. v. Apple MacPro Computer, 851 F.3d 238, 247 (3d Cir. 2017).
    For practitioners, if ordering a Servicemember to decrypt a phone containing child porn by entering a passcode is legal, then what do you do when that smart Servicemember lawyers up and asks you whether he should unlock his phone?  If the order to enter the passcode is legal, then could a TDS attorney ethically advise his client to refuse to obey the lawful order?  Because I’d rather be convicted of an Article 92 offense as opposed to an Article 120 offense which carries with it a lifetime of sex offender registration. 

  5. Vulture says:

    An ethical discussion would involve the basis for knowing whether there was anything on the drive/phone/encrypted device at all.  See Here for your appropriate BAR.  On the basis of Judge Ryan’s latest opinion, lawyer up and take the “warrant to TDS.” 

  6. Tuck Mutwigginberry says:

    The commander can do a lot of things law enforcement cannot.  Just call it an inspection and let the commander do it.  Problem solved.

  7. DCGoneGalt says:

    An inspection to get into a personal hard drive or cell phone that has no connection to a military purpose?  Suuuuuure. 
    The response remains “GFY”.

  8. CombatArms says:

    Tuck is right.  Let the commanders take care of this stuff.  Don’t get the pencil pushers involved.  And when Joe tells his commander to “GFY,” ole Joe might just get what cops call “a little stick time.”  And then Joe’s computer gets searched anyway.

  9. Zachary D Spilman says:

    Don’t forget United States v. Kelly, 72 M.J. 237, 244 (C.A.A.F. May 23, 2017) (CAAFlog case page):

    SSgt RM’s search of Kelly’s laptop for “gore,” “inappropriate,” and “porn” amounted to a specific search for contraband which, once discovered, was turned over to CID pursuant to JPED’s established protocols. The search was not conducted to ascertain Kelly’s “readiness to carry out his military duties.” See Kazmierczak, 16 C.M.A. at 600, 37 C.M.R. at 220. SSgt RM testified that his review of the laptop was a “rush job” because Kelly, who was medically evacuated out of Iraq, “wanted his PE back.” Thus, there was no concern over Kelly’s ability to carry out his military duties and his PE was to be returned directly to him. On balance, the government intrusion into Kelly’s privacy interest in his computer was not outweighed by “legitimate governmental interests.” See Lafayette, 462 U.S. at 644.

    Further, JPED’s search under the auspices of AR 638-2 did not produce anything resembling an inventory — once the articles were searched they were simply shipped out. This is in conflict with the primary purpose of a traditional inventory. See, e.g., Wells, 495 U.S. at 4 (“[t]he policy or practice governing inventory searches should be designed to produce an inventory.”) Indeed, even if AR 638-2 was applicable under the circumstances, it does not classify the search for inappropriate items as an inventory. The section of the regulation under which SSgt RM conducted the search is titled “Destruction of PE” and simply states that inappropriate items will be “withdrawn and destroyed.” AR 638-2, para. 20-14.a. The search of Kelly’s laptop for “gore,” “inappropriate,” and “porn,” was not an inventory as proscribed by M.R.E. 313(c).

  10. k fischer says:

    Tuck is right.  Let the commanders take care of this stuff.  Don’t get the pencil pushers involved.  And when Joe tells his commander to “GFY,” ole Joe might just get what cops call “a little stick time.”  And then Joe’s computer gets searched anyway.

    As a civilian defense counsel, I concur.  Commanders should do one heck of a lot more to gather evidence and abuse lower enlisted folks who are accused of crimes.  In fact, Commanders have been really lazy lately.  I don’t pay taxes, so they can sit around during the afternoon and listen to “All Things Considered.”  And, when did they stop telling their company commanders to prefer charges when their company commanders think the Accused is innocent? 
    btw, Gramps, lawyers don’t push pencils anymore.  We type stuff using a “computer” and look stuff up on the “interwebs.”

  11. CombatArms says:

    K fischer, agreed 100%.  You obviously get it.  And it’s not just being “accused” of crime that warrants swift and decisive action.  It’s when the commander knows he’s dealing with a dirtbag.  At the end of the day, our military exists to put little (or big if necessary) pieces of metal in bad guys until they are combat ineffective.  Period.  End of story. 
    As for the pencil pusher comment, I’ll just stick to calling them JAFLs…that term was as accurate when I was leading men as it is today.

  12. Fan Blade says:

    CombatArms must really be awesome at Call of Duty.  Wonder when he got his Chairborne Ranger tab?????

  13. stewie says:

    ResIpsa…not according to this quote:
    “the act of decryption, not just the sharing of the password, is itself testimonial. Decrypting is testimonial logically because it provides access to files no other person can know of or otherwise access”
    I’m fine with the idea that requiring someone to tell you the password is testimonial. Because, well, duh. But this goes beyond that, it says decrypting itself is testimonial because it provides access to files no one else can access. Which is like saying breaking into a locked vault you have a warrant to get into is testimonial.
    That’s where you lose me. I am completely on-board with saying you cannot force someone to tell you a password. I’m not on-board with saying that you cannot decrypt something through other means (provided you have a warrant/lawful justification).

  14. DCGoneGalt says:

    Send it to DCFL and they can have it back in, oh, about a gajillion years.  In the meantime, “GFY”.

  15. JP Stevens says:


    The accused was convicted of barracks thievery. His squadron commander was informed that property of the accused’s barracks-mates was believed to be in the accused’s possession. He determined upon a search. He went to the accused’s room in the barracks and informed the accused that it was believed he had the other men’s property mixed in with his own and that he, the commander, intended to conduct a search of the accused’s effects. Thereupon he asked the accused if he could look at his property. The accused went to his dresser and pulled open the drawers. After inspection of the dresser, the commander requested the accused to lead him to the wall locker. The accused led the party to a locker and unlocked it. All of the items for which the accused was convicted of theft were found in the dresser or locker. The accused was not warned pursuant to UCMJ, Art 31, prior to the search. HELD: The accused’s acts alone constituted statements regarding the offense of which he was suspected. Furthermore, the commander’s request to see the accused’s property constituted an official interrogation by a person subject to the Code of the accused as a suspect. Since the accused received no prior warning pursuant to UCMJ, Art 31(b), it follows that the testimony concerning the accused’s self-incriminatory actions was inadmissible.


    U.S. v. Smidutz, 19 C.M.R. 888 (A.F.B.R. 1955)
    I don’t think that decryption by itself is a testimonial act nor do I think that is the point of Mr. Spilman’s post, but Smidutz would support a Commander or AFOSI agent ordering Joe to enter the passcode to decrypt a phone would be a testimonial act in the military if Joe followed the order by entering his passcode.
    If Army CID somehow got lucky and guessed Mitchell’s passcode, then the decryption that followed would not be testimonial.  But, if Mitchell unlocked the phone based on CID’s order, then it is a testimonial act.


  16. stewie says:

    I’m simply addressing the first major block quote in the original thread post. If it’s not the point, it’s a central part of it.
    I don’t disagree with anything you say otherwise.

  17. ResIpsaLoquitur says:

    Hey, I am fine with “decryption by other means.”  If CID or OSI can hack the computer pursuant to a warrant, that’s their legal ability to do so.  I am *not* fine with ordering the member to surrender the password.  I realize that this is a fine line between self-incrimination and turning over a key, but I err on the side of the member.  And I’m not even a defense attorney. 
    I appreciate that there’s case law which is probably contrary to my position.  I don’t have to like said law even if we’re bound to it.  If “it’s the law” is the moral answer, then nobody had ever complain about Citizens United or Heller or Roe ever again.