No Computer Exception to the Constitution:1
The Fifth Amendment Protects Against Compelled
Production of an Encrypted Document or Private Key
By Aaron M. Clemens 2
Computer Crime Seminar
Georgetown University Law Center
Professors Richard Salgado 3 & Christian Genetski 4
Cf., Skinner v. Railway Labor Executives’ Ass’n, 489 U.S. 602, 641 (1989) (Marshall, J., dissenting) (“There is no drug exception to the Constitution, any more than there is a communism exception or an exception for other real or imagined sources of domestic unrest.”); Hartness v. Bush, 919 F.2d 170, 174 (D.C. Cir. 1970) (Edwards, J., dissenting) (“Faced regularly with the grim results of the illegal drug trade, the judiciary may well be tempted to offer aid to the Government in its War on Drugs. But no matter how pressing the perceived need, the judiciary is simply without authority to trim back the Fourth Amendment. There is, and can be, no ‘drug exception’ to the Fourth Amendment.”).
B.A. 2001, University of Nevada, Las Vegas; J.D. candidate, Spring 2004, Georgetown University Law Center. Special thanks to the staff of the UCLA Journal of Law and Technology as well as GULC Adjunct Professors Richard Salgado and Christian Genetski for their encouragement and supervision of this article. The views expressed herein are my own, as are any errors or omissions.
Richard Salgado, Adjunct Professor of Law, Georgetown University Law Center; Senior Counsel, Computer Crime & Intellectual Property Section, U.S. Department of Justice.
Christian Genetski, Adjunct Professor of Law, Georgetown University Law Center; Partner, Sonnenschein, Nath & Rosenthal L.L.P.
The U.S. Constitution’s Fifth Amendment privilege against self-incrimination prevents the government from compelling a person to decrypt or reveal the private key to decrypt her electronic documents absent two circumstances. 5 The government must either prove, by clear and convincing evidence, that the three-prong test in Fisher v. United States 6 has been met, or provide use and derivative-use immunity for such production.
I. The Need For Computer Security
Unauthorized access to computer files has been a problem since the computer’s advent. 7 Unauthorized access allows identity theft, fraud, and the revelation of intimate secrets. 8 These
Joe Baladi, Comment, Building Castles Made of Glass-Security on the Internet, 21 U. Ark. Little Rock L. Rev. 251, 275-76 (1999) (“The Fifth Amendment protections are implicated in that, absent mandated key recovery, the government would have to compel disclosure of the encryption key. If the encrypted communication is incriminating, then the disclosure of the key triggers the protection of the Fifth because the government is compelling access to the incriminating testimonial communication.”) (Citing Privacy in the Digital Age: Encryption and Mandatory Access, 1998: Hearings before the Subcommittee on the Constitution of the Senate Committee on the Judiciary, 105th Congress (1998) (statement of Kathleen M. Sullivan, Professor, Stanford Law School)); See Greg S. Sergienko, Self Incrimination and Cryptographic Keys, 2 Rich. J.L. & Tech. 1, 72 (1996):
Cryptography may provide a technical fix for Supreme Court decisions allowing the invasion of one’s private papers. However, the effectiveness of that fix will depend on whether the Court holds that use immunity from the compulsory production of a cryptographic key extends to the incriminating documents decrypted with the key. Logic suggests that the Court should so hold.
See also Richard A. Nagareda, Compulsion “To be a Witness” and the Resurrection of Boyd, 74 N.Y.U. L. Rev. 1575, 1580 (1999):
The application of the Fifth Amendment turns upon the meaning of the phrase “to be a witness.” It is the compulsion of a person to assume “witness” status that violates the Fifth Amendment. The phrase “to be a witness” in the Fifth Amendment is best understood as synonymous with the phrase “to give evidence” used in the proposals for a bill of rights formulated by state ratifying conventions upon consideration of the original Constitution. The compulsion of a person to produce self-incriminatory documents is literally the compulsion of that person “to give evidence” against himself--that is, to turn over documents for possible use as incriminatory evidence in a subsequent criminal trial.
425 U.S. 391 (1976).
Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U.L. Rev. 1596, 1597 (2003) (“In the last quarter century, the federal government, all fifty states, and over forty foreign countries have enacted computer crime laws that prohibit ‘unauthorized access’ to computers.”(citations omitted)); see also, e.g., United States v. Kelly, 507 F. Supp. 495 (E.D. Pa. 1981) (Finding private company employees’ use of a company’s computer for personal benefit defrauded their employer of their honest and faithful performance of their duties as employees and violated the mail fraud statute). See generally, Alois Valerian Gross, Criminal Liability for Theft of, Interference with, or Unauthorized Use of, Computer Programs, Files, or Systems, 51 A.L.R.4th 971 (2003).
See, e.g., Andres Rueda, The Implications of Strong Encryption Technology on Money Laundering, 12 Alb. L.J. Sci. & Tech. 1, 32-33 (2001) (“[F]or technologically savvy criminals, online credit card fraud can be remarkably effective. … For example, the numbers of over 100,000 credit cards issued by 1,214 different banks were stolen by a single cyberthief using ‘packet sniffers,’ or ‘virus-like programs that surreptitiously hunt through networks’ in search of specific types of information, such as credit card numbers.”).
potential problems are exacerbated for lawyers, who have an ethical duty to protect their clients’ privileged information. 9 Without updated security to match snooping possibilities, the use of computers for client matters may soon, in effect, waive the attorney-client privilege. 10 Despite this emerging insecurity, the computer, like the telephone, has evolved into a personal and professional necessity for many people. 11 Ubiquitous portable high-speed wireless Internet is now a reality for many in America. Increasingly, actual face-to-face conversations are replaced by virtual face-to-face conversations, even between parents and children within voice range of each other. 12 As computers are increasingly used for communication, privacy concerns are heightened. 13 Just as telephone use does not forfeit a person’s expectation of privacy, 14 computer
Lawyers have a duty to maintain client confidentiality and many lawyers have integrated the convenience of e-mail and cell phone communication into their business routine. Without improvements in security, using computers to send e-mail or voice mail for confidential attorney-client communications may constitute waiver of privilege because these messages are so easily intercepted. See A. Michael Froomkin, The Metaphor is the Key: Cryptography, the Clipper Chip, and the Constitution, 143 U. Pa. L. Rev. 709, 724 (1995):
[T]he ease with which intruders can gain access to unprotected computers that can be accessed via the Internet means that unencrypted data on such machines is at risk … [t]he ease with which these [messages] can be overheard or intercepted, combined with the growing simplicity of encryption software, make it conceivable that failure to use encryption may be considered a waiver of privilege at some point in the future (at least for insecure media such as electronic mail and cellular telephones).
See also Sherry L. Talton, Note, Mapping the Information Superhighway: Electronic Mail and the Inadvertent Disclosure of Confidential Information, 20 Rev. Litig. 271, 279 (2000) (“Electronic mail is an insecure medium.”); Robert A. Pikowsky, Article, Privilege and Confidentiality of Attorney-Client Communication Via Email, 51 Baylor L. Rev. 483, 578 (1999) (“There seems to be little or no debate as to the degree of privacy that one can reasonably expect in unencrypted e-mail.”); R. Scott Simon, Note, Searching for Confidentiality in Cyberspace: Responsible Use of E-mail for Attorney-Client Communications, 20 U. Haw. L. Rev. 527, 545 (1998) (“[E]ncryption seems to be a viable answer to the concern about insecurity on the Internet.”).
Froomkin, id. (Footnotes Omitted) (“Every lawyer knows that she should never discuss client confidences in a crowded restaurant … Unfortunately, the ease with which electronic mail messages can be intercepted by third parties means that communicating by public electronic mail systems, like the Internet, is becoming almost as insecure as talking in a crowded restaurant.”).
See, c.f., Smith v. Maryland, 442 U.S. 735, 750 (1979) (Marshall, J., dissenting) (Finding that telephone usage “for many has become a personal or professional necessity” and thus there is no choice for people to accept the risk of surveillance or give up this medium of communications to preserve their privacy because “as a practical matter, individuals have no realistic alternative.”)
John Schwartz, That Parent-Child Conversation Is Becoming Instant, and Online, N.Y. Times, Jan. 3, 2004, A1 (“Almost three-quarters of all teenagers with online access use instant messaging and about half of all adults have tried the services, surveys show... [Instant messaging is] an old idea that’s been made practical... Instead of yelling downstairs, ‘Hey, is there any fried chicken left?’ You can I.M. downstairs.”).
David Kahn, The Codebreakers: The Story of Secret Writing, at 983 (1996) (“The need to protect the ever-growing number of files as communications expands at its present lighting rate in e-mail, the World Wide Web and other functions of the Internet, internal business networks, and cellular telephones explains why more than a thousand firms now offer cryptological systems for data, voice, and fax, why manufacturers are now building them into the software packages they sell.”)
use must not forfeit a person’s expectation of privacy. Therefore, for computers to reach their full potential, unauthorized access to computers must be reduced. 15 Efforts are underway to alleviate computer security concerns. Secret passwords have long protected access to computer resources and computer files. 16 But, due to advances in cybersnooping, basic alphanumeric passwords alone can no longer assure security. 17 Cryptography is one answer to the security problem. Cryptography is the ancient art of preventing unauthorized access to messages by improving the use of basic passwords. 18 Modern cryptology, 19 such as the public and private key system, can ensure computer security. 20 Public/private key cryptography allows the exchange of secure messages. The process begins when a sender encrypts a message using the public key of the intended recipient. Both the
See, e.g., Katz v. United States, 389 U.S. 347 (1967).
Kahn, id. (Footnotes Omitted); see also Rueda, supra note 8, at 4 (“[S]trong encryption and related technologies are a crucial aspect of the future development of electronic commerce.”); Joel C. Mandelman, Article, Lest We Walk Into the Well: Guarding the Keys-- Encrypting the Constitution: To Speak, Search & Seize in Cyberspace, 8 Alb. L.J. Sci. & Tech. 227, 236-37 (1998) (“[I]t is essential for certain transactions to be encoded to prevent their interception or fraudulent alteration. This issue is of critical importance to the computer and banking industries, as well as the overall American economy.”).
C. Ryan Reetz, Note, Warrant Requirement for Searches of Computerized Information, 67 B.U.L. Rev. 179, 206 (1987) (“In most cases, the risk of unauthorized access to computer files by third parties is minimized by access control systems requiring passwords or restricting use to certain users.”).
Kevin R. Pinkney, Putting Blame Where Blame is Due: Software Manufacturer and Customer Liability for Security-Related Software Failure, 13 Alb. L.J. Sci. & Tech. 43, 52 (2002) (“[A] determined intruder might attempt to crack the password by trying every word in the dictionary. Such ‘brute-force’ attacks regularly succeed.”) (Citing Michael Lee et al., Comment, Electronic Commerce, Hackers, and the Search for Legitimacy: A Regulatory Proposal, 14 Berkeley Tech. L.J. 839, 851 (1999)).
Kahn, supra note 13, at 80, 82, 93 (Explaining that Daniel, of the Christian Bible and the Jewish Torah, was “the first known cryptanalyst,” a renown he gained by interpreting the writing on a wall for the Babylonian Emperor Belshazzar; that as early as the fifth century B.C. the Spartans “established the first system of military cryptography;” and that “Cryptology was born among the Arabs” and that the word “cipher” comes from the Arabs.); Rueda, supra note 8, at 15 (“Cryptography ‘is an ancient science, and was used by Roman emperors to send secret messages.’”).
Kahn, id. at xv (Cryptological methods “do not conceal the presence of a secret message but render it unintelligible to outsiders.”); see also Rueda, id. at 17 (“Cryptography is a technology that disguises messages using codes, ciphers, and algorithms, so that only the intended recipient can access its meaning.”).
Kahn, id. at 983 (“Cryptology plays a role in [improving computer security] because it is the only technology that, if good enough, can block access to files in storage or in transit. Passwords can be encrypted so that they cannot be read even if the file in which they are stored is accessed. Files can be encrypted so that their contents can remain secret.”).
public and private keys consist of an arrangement of letters, numbers, and symbols. A public key 21 can be made public without fear of undermining the security of a message encrypted with it. 22 Only a viewer of the message with the right private key can decrypt the message. 23 Without this private key, the encrypted information is incomprehensible. To illustrate, I may encrypt this article using my brother’s public key, 24 and send it to him. 25 In turn, he could use my public key to encrypt his replying comments. If our private keys remain private, we are assured of security. 26 Modern technology briefly took away privacy, 27 but subsequently recreated it. 28
See Rueda, id. at 20-21 (Footnotes Omitted):