Scholarship Saturday: The Enigma of the Self-Incrimination Clause and Compulsory Decryption of Encrypted Media
As CAAF continues to deliberate on the interlocutory prosecution appeal in United States v. Mitchell, No. 17-0153/AR (CAAFlog case page) (argued on Tuesday, April 4, 2017), involving suppression of the contents of the accused’s cell phone because military investigators continued to question him after he requested an attorney and that questioning led to the phone’s decryption, a Marine judge advocate’s student note in the Georgetown Law Technology Review is of interest.
In Cracking the Code: The Enigma of the Self-Incrimination Clause and Compulsory Decryption of Encrypted Media, 1 GEO. L. TECH. REV. 247 (2017) (available here), Jason Wareham concludes that:
the act of decrypting a hard drive is protected by the Fifth Amendment, as the act of decryption, not just the sharing of the password, is itself testimonial. Decrypting is testimonial logically because it provides access to files no other person can know of or otherwise access. The act of encryption is an admission proving both the existence of the accused’s files, and the accused’s possessory relationship to these files. Since only the person who encrypted an item would have the key to decrypt it (presuming the knowledge-based password), it shows possession, dominion, or control. Finally, the accused’s act of production would be a necessary link in the authentication for the files should the prosecutor seek to have the evidence admitted in court, as no one but the accused would be able to confirm that the files produced are indeed the accused’s files.
Wareham suggests that “the jurisprudence governing compulsory decryption is poised to devolve into an indiscernible morass,” and that “there is no discernible rule, standard, or analysis emerging for the use of the act of production or foregone conclusion doctrines as applied to encryption.” So, two are suggested:
First, as a legal principle, practitioners, governments, and courts alike should accept that compelling an individual to either produce a password or to compulsorily decrypt their digital files in a private knowledge-based-key scheme is presumptively a testimonial act. . . .
[Second] if the decrypted files are not cumulative then they add something to the government’s case. If they add something to the government’s case, then the decrypted files are a link in the chain of evidence against the accused. If the decrypted files are a link and the decryption comes from the accused, then his self-incrimination right has been infringed because he was compelled to join that chain.
CAAF may well avoid this morass in Mitchell by applying the plain and relatively-simple language of Mil. R. Evid. 305(c)(2) that any evidence derived from an interrogation after a suspect requests counsel is inadmissible unless counsel was provided. I suggested this approach in my argument preview.