An appeals court ruled last week that in certain cases, handing over the password to an encrypted hard drive is a form of giving testimony, and is protected under the Fifth Amendment. But that doesn't mean criminals can use password protection to hide evidence -- decryption is only protected if prosecutors don't know what's on the drive.
It's common these days for prosecutors to use the contents of computer hard drives as evidence in cases involving financial and computer crimes. Take the copyright cases from the early 2000s, for example, when the RIAA showed that defendants had downloaded songs to their computers without paying. But last week, the US Court of Appeals for the 11th Circuit set a precedent that could make it harder for the government to prosecute based on electronic evidence in certain cases.
In a nutshell, the court ruled that decrypting the contents of a hard drive can, under certain circumstances, amount to giving testimony. Since the Fifth Amendment to the Constitution protects against self-incrimination, the court concluded, defendants can't be forced to decrypt hard drives to provide potentially incriminating evidence against themselves -- unless prosecutors can prove beforehand that they know what's on the drives. (In theory, government hackers could still attempt to gain access on their own, but well-encrypted drives can take decades to break through brute force.)
In this case, the defendant -- referred to as John Doe -- was suspected of possessing child pornography and compelled to testify before a grand jury in exchange for immunity. The prosecutors had seized encrypted hard drives belonging to Doe, and ordered him to decrypt the drives as part of his testimony. He was told, however, that his immunity did not cover the use of evidence against him. In other words, he could still have been charged based on what was on the hard drives.
Doe refused, invoking his Fifth Amendment privilege against self-incrimination, and was put in prison for eight months for contempt of court. The Circuit Court's ruling vindicates Doe's actions, reverses the lower court's decision to hold him in contempt, and confirms that it would be unlawful to force him to decrypt the hard drives.
There's an important distinction to be aware of here: in Doe's case the prosecutors didn't know what, if any, data, was stored on the seven disks. Thus, the court concluded, Doe's compliance in decrypting the drives would be akin to giving testimony against himself in court. The full verdict includes this line: "We conclude that the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files."
Things would be different if the prosecutors knew for sure what information on the drives and whether it was authentic. In that case, decrypting the files would be the equivalent of handing over a key to a safe, which is not covered by the Fifth Amendment. An example of the latter case occurred just a few days earlier in US v. Fricosu, when a judge ordered the defendant in a bank fraud case to decrypt her laptop computer so that prosecutors could use its contents as evidence against her.
It's important to note that the outcome of the Doe case doesn't mean that criminals can escape prosecution in all cases just by encrypting digital evidence. If prosecutors can show that they have an idea of what's on a drive, as they did in the Fricosu case, a court can still demand that the drive be unlocked and the contents used as evidence. But in murkier circumstances, defendants can't be required to incriminate themselves by decrypting a drive.