- Spitfire List - http://spitfirelist.com -

Knock, Knock? Who’s There? Either a Strongbox or a Wall Safe. It’s Undecided.

In this post we’re going to take a look at the recent Supreme Court ruling on 4th amendment rights and smartphones and how this ruling could impact the ongoing debate over NSA spying. We’re also going to look at the other side of the coin: the 5th Amendment right against self-incrimination during a time when encryption tools strong enough to thwart law enforcement and the NSA are becoming [1] increasingly mainstream [2]. Is encryption like a strongbox or a wall safe? You might be surprised by just how important that question has become [3].

————-

The Supreme Court made an important, and unanimous, ruling recently regarding the legality of law enforcement officers searching someone’s smartphone during an arrest. The ruling: Warrants are required. The reasoning: Smartphones contain so much information about people’s lives that you can potentially learn more about an individual by searching their smartphone than you would learn while searching their house [4]:

Los Angeles Times
Supreme Court ruling affirms the astonishing power of smartphones

Robin Abcarian

June 25, 2014, 2:34 PM

Wednesday’s unanimous Supreme Court ruling [5] – that officers must obtain warrants in order to search cellphones obtained during the course of arrests – shows the justices’ profound understanding of the way these ubiquitous little devices have practically become appendages of the human body.

Chief Justice John R. Roberts even got a little carried away with that metaphor when he wrote in his entertaining opinion [6] that modern cellphones “are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy.”

Giving police the ability to search a cellphone without a warrant, the court said, is as offensive as the intrusions that led to the birth of this country and the creation of its Constitution.

The 4th Amendment, with its protection against unreasonable searches, Roberts said, “was the founding generation’s response to the reviled ‘general warrants’ and ‘writs of assistance’ of the colonial era, which allowed British officers to rummage through homes in an unrestrained search for evidence of criminal activity. Opposition to such searches was in fact one of the driving forces behind the Revolution itself.”

As the chief justice noted, today’s smartphones are not “just another technological convenience.” They are indispensable repositories for exceedingly private details about an individual’s life.

(How indispensable? He cited one poll in which 3/4 of phone owners said they were never more than five feet away from their devices, while 12% admitted bringing their phones into the shower with them. That is an image I could have done without.)

You can actually learn more about a person by examining their phone, Roberts said, than you can in “the most exhaustive search” of a house.

“A phone not only contains in digital form many sensitive records previously found in the home; it also contains a broad array of private information never found in a home in any form,” he wrote — unless a smartphone is also found in the home.

Giving police officers access to a person’s apps — Roberts said the average user has 33 — gives them the ability to create “a revealing montage” of a subject’s life.

The court recognized that its ruling may impose a burden on law enforcement officers at the time of an arrest. But, as Roberts pointed out, technological advances cut both ways.

In some jurisdictions, he said, police officers can email warrant requests to judges’ iPads, and judges, for their part, have been known to sign warrants and email them back to officers in less than 15 minutes.

Not surprisingly, the ruling has prompted a great deal of speculation over what it could mean for pending lawsuits against the NSA. But if you were expecting that this ruling suggests that the Supreme Court is poised to rule against, say, the NSA collection of metadata, you might be disappointed [7]:

Politico
SCOTUS cellphone ruling resonates in NSA fight

By JOSH GERSTEIN | 6/25/14 8:15 PM EDT

The Supreme Court’s blunt and unequivocal decision Wednesday giving Americans strong protection against arrest-related searches of their cell phones could also give a boost to lawsuits challenging the National Security Agency’s vast collection of phone call data.

Chief Justice John Roberts’s 28-page paean to digital privacy was like music to the ears of critics of the NSA’s metadata program, which sweeps up details on billions of calls and searches them for possible links to terrorist plots.

“This is a remarkably strong affirmation of privacy rights in a digital age,” said Marc Rotenberg of the Electronic Privacy Information Center. “The court found that digital data is different and that has constitutional significance, particularly in the realm of [the] Fourth Amendment…I think it also signals the end of the NSA program.”

For the NSA debate, the most significant idea in the court’s Wednesday opinion may be the notion that scale matters. Roberts and his colleagues soundly rejected arguments from the Obama administration that because police can search a few printed photographs found in someone’s wallet, officers were free to search thousands of images and the troves of other personal data contained on a typical smartphone.

“It’s very important that the court is recognizing that quantity matters,” said Georgia Tech professor Peter Swire, a privacy expert and member of a panel President Barack Obama set up to review the NSA’s call metadata program. “The court has said that quantity matters when it comes to the content of cell phones. And I believe the court will feel the same way when it comes to massive databases of telephone calls or computer communications.”

A former cybercrime prosecutor said the justices also seemed to recognize that scale of the collection not only gives the government more data, but also the ability to be much more intrusive than in earlier eras.

“The distinction here is more than just the capacity of the device to hold pictures,” said Alex Southwell, now with law firm Gibson, Dunn & Crutcher. “A cell phone is orders of magnitude different, not just in terms of numbers of items held but also in terms of the intrusiveness if searched. The mosaic of information available from seeing the whole of the data is transformative, just like the call records at issue in the NSA program.”

The Supreme Court’s ruling Wednesday in Riley v. California doesn’t say anything explicitly about the NSA’s metadata, nor did the justices mention national security concerns or intelligence gathering.

However, in one somewhat opaque footnote to Roberts’s majority opinion, the justices seem to be saying they are leaving the issue of bulk collection of data for another day. “These cases do not implicate the question whether [sic] the collection or inspection of aggregated digital information amounts to a search under other circumstances,” Roberts wrote.

Even if the justices were to deem the NSA program a warrantless search that goes well beyond tracing calls made on a specific phone line, that wouldn’t mean the terrorism-focused effort is unconstitutional. Instead, the court would have to consider whether the search is reasonable in light of the national security and public safety concerns involved — and justices are often extraordinarily deferential to such arguments.

Analysts on both sides said the cell phone ruling is not a one-off, but seems to be part of a pattern of the court’s efforts to square privacy rights with the new challenges posed by emerging technology. Two years ago, in U.S. v. Jones, the justices rejected arguments that GPS tracking should not require a warrant because police have always been free to follow suspects around without getting one.

“What’s significant…is the justices, like the rest of us, are fully alive to the fact that technology is generating large quantities of data about us and putting it in places where it didn’t used to be,” Baker said.

President Barack Obama initially dismissed the privacy impact of the metadata program as “modest,” but in recent months he has acknowledged that it is troubling to many Americans. Earlier this year, he proposed shutting down the NSA program and replacing it with one in which telephone companies store the call information and make it readily available for the government to search. The president also implemented a procedure in which a judge approves most queries in advance, but the standard is lower than that for a search warrant.

The Obama administration has made much of safeguards it has imposed on the NSA program. However, the court’s cell phone search opinion suggests the justices might not find such self-regulation sufficient to address privacy concerns.

“The Government proposes that law enforcement agencies ‘develop protocols to address’ concerns raised by cloud computing,” the chief justice wrote. “Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.”

As the article indicates, while it’s unclear how directly this ruling by the Supreme Court could impact rulings on bulk metadata collection, observers on all sides agree that this cell phone ruling “is not a one-off, but seems to be part of a pattern of the court’s efforts to square privacy rights with the new challenges posed by emerging technology”. And that’s good news because, at the end of the day, the only real solution to these increasingly difficult issues of balancing privacy and security in an ever-changing technological landscape is a never-ending cycle of court cases, legislation, and lots and lots of people spending time to really think through the implications of how we progress through the Information Age.

But as the article also highlights, it’s unclear from this ruling which way the court is leaning on the issue of bulk metadata collection because, as Chief Justice Roberts put it, “these cases do not implicate the question whether [sic] the collection or inspection of aggregated digital information amounts to a search under other circumstances,” while also asserting that “the Government proposes that law enforcement agencies ‘develop protocols to address’ concerns raised by cloud computing…Probably a good idea, but the Founders did not fight a revolution to gain the right to government agency protocols.” What Chief Justice Roberts appears to be alluding to is the idea that issues like this can’t be handled by self-regulation and protocols alone, and that seems to suggest that Roberts is of the opinion that in order to balance privacy and security (in an age where cell phones might hold more personal information about you than the contents of your home) we’re probably going to need both policy solutions and technological solutions. And he’s quite right. When technology creates new legal conundrums, a look at changing the technology or changing how it’s used is clearly part of the solution.

What Would Snowden and the Cypherpunks Say?
But, of course, it’s also worth pointing out that simply saying “we need policy solutions and technology solutions” is a lot easier said than done. For instance, take Edward Snowden’s “policy + technology” solutions that he has consistently recommended to global audiences. As Snowden puts it, we need policy solutions but we also need technology solutions like unbreakable end-to-end encryption and the use of systems like TOR to ensure that bulk data collection becomes impossible [8]:

The Inquirer
Edward Snowden wants easy to use encryption everywhere
Community must do more
By Dave Neal
Mon Mar 10 2014, 18:0

SURVEILLANCE WHISTLEBLOWER Edward Snowden has taken part in a video conversation at the South By Southwest (SXSW) conference and called for more accessible encryption tools.

The subject of the conversation, which was hosted by the American Civil Liberties Union, was whether communications are secure and if they can be trusted. They can, said Snowden, but only with some third party help and the use of end to end, machine to machine encryption.

The use of strong encryption is key and the panel agreed that Snowden’s revelations have improved the security landscape. The whistleblower said that technology companies need to help make encryption more accessible and less complex. “Encryption does work,” he said, calling it “the defence against the dark arts for the digital realm.”

Snowden said that the US National Security Agency (NSA) has created an “adversarial internet”. He added that while policy changes are needed, technological changes will be the most effective.

“[We must] craft solutions that are safe”, he said. “End to end encryption makes bulk surveillance impossible. There is more oversight, and they won’t be able to pitch exploits at every computer in the world without getting caught.”

As Snowden said, “End to end encryption makes bulk surveillance impossible. There is more oversight, and they won’t be able to pitch exploits at every computer in the world without getting caught.” So, if Snowden is correct, we can simply develop easy-to-use unbreakable encryption technology and bulk surveillance will be made impossible and therefore all surveillance will be forced to shift towards targeted surveillance where “there is more oversight”. No more bulk surveillance but still room for targeted surveillance. Problem solved, right?

Well, if the elimination of bulk data collection is something that society wants to prioritize then, yes, strong end-to-end encryption and the use of tools like TOR (because strong encryption still won’t actually hide all the metadata, you’d need something like TOR) would indeed force surveillance to become much more targeted. Assuming a spywarepocalypse [9] doesn’t take place.

But what about that targeted surveillance that Snowden claims to support? Will that still be possible once strong end-to-end encryption tools are made widely available? Well, here’s where it gets messy in ways that Snowden and the Cypherpunks don’t like to talk about [10] and in ways that relate to the Supreme Court’s recent cellphone ruling: Once you have easy-to-use strong encryption tools that make communications unbreakable, it’s probably not going to take too long before similar tools (or the very same tools) are also used to make the local files on your computer strongly encrypted too. That means that when there’s a legitimate law enforcement or national security need to view the contents of someone’s computer or smartphone, a warrant won’t be enough. The person under investigation is simply going to have to decrypt the software or hand over a password under threat of contempt of court. And when law enforcement has to rely on the person being investigated to provide access to incriminating evidence, it means we might be seeing a lot more 5th amendment stories like this [1]:

ExtremeTech
US Appeals court upholds Fifth Amendment right to not decrypt hard drives

By Joel Hruska on February 24, 2012 at 1:31 pm

The 11th Circuit Appeals Court has issued an important ruling on the question of whether or not a defendant can be forced to decrypt a hard drive when its contents could provide additional incriminating evidence. The case in question refers to the actions of a John Doe who was compelled to testify before a grand jury in exchange for immunity from prosecution. Doe was ordered to decrypt the contents of his laptop as part of that testimony, but was told that his immunity would not extend to the derivative use of such material as evidence against him. Doe refused to decrypt the TrueCrypt-locked drives, claiming that to do so would violate his Fifth Amendment right against self-incrimination.

Note that this case involves the use of TrueCrypt, one of the tools Snowden used to encrypt his NSA documents and one that he strongly advocates [11] (before it mysteriously shut down [12] about a week before the Heartbleed revelations [13]). Not only can TrueCrypt encrypt data in ways that the NSA can’t break, but it also allows you to create hidden volumes within your encrypted volumes [14] so if you are asked to hand over the password you can simply give the “fake” top-layer password that only decrypts the non-hidden folders.

Continuing…


The 11th Circuit’s ruling reverses the lower court’s decision [15] to hold Doe in contempt and affirms that forcing him to decrypt the drives would be unlawful. It also states that the district court erred in limiting the immunity it granted Doe to only apply to grand jury testimony and not the derivative use of the evidence in question. The ruling on misapplied immunity means that the 11th Circuit could’ve punted on the Fifth Amendment issue, but the court opted not to do so.

The applicability of the Fifth Amendment rests on the question of what the government knew and how it knew it. Federal prosecutors admitted at trial that while the amount of storage encrypted exceeded 5TB, there was no way to determine what data was on the hard drive — indeed, if there was any data whatsoever. Plaintiffs were reduced to holding up numerical printouts of encryption code that they said “represented” the data they wanted, but were forced to admit that there was no way to differentiate what might be illegal material vs. legal.

The question at hand is whether or not decrypting the contents of a laptop drive is testimony or simply the transfer of existent information. The court acknowledges that the drive’s files are not testimony of themselves, but writes “What is at issue is whether the act of production may have some testimonial quality sufficient to trigger Fifth Amendment protection when the production explicitly or implicitly conveys some statement of fact.” (emphasis original)

Previous court cases have established that merely compelling a physical act, such as requiring a defendant to provide the key to a safe, is not testimonial. Actions are also non-testimonial if the government can invoke the “foregone conclusion” doctrine by showing with “reasonable particularity” that it already knew that certain materials or content existed.

By decrypting the drives, Doe is admitting “his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” The court dismisses the argument that the contents of Doe’s hard drives are a foregone conclusion, noting that “Nothing… reveals that the Government knew whether any files exist or the location of those files on the hard drives; what’s more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives.

“The Government has not shown, however, that the drives actually contain any files, nor has it shown which of the estimated twenty million files the drives are capable of holding may prove useful… we are not persuaded by the suggestion that simply because the devices were encrypted necessarily means that Doe was trying to hide something. Just as a vault is capable of storing mountains of incriminating documents, that alone does not mean that it contains incriminating documents, or anything at all.”

Not exactly carte blanche

The strength of this decision is the balance it strikes between the rights of the government and the individual. Rather than focusing on the nature of the pass phrase defendants are ordered to provide, it emphasizes the issue of what the prosecution knows and how it learned it. If the prosecutors had had sufficient data to indicate that illegal materials were stored on Doe’s hard drives, forcing him to testify would’ve been valid under the foregone conclusion principle.

This decision doesn’t make it impossible for the government to use the contents of an encrypted drive, but it requires that the prosecution demonstrate a knowledge of the contents and data contained therein before being allowed to issue a blanket demand. It’s a fair call, and given the increasing number of similar cases, an important one.

There’s a lot to digest there: Ok, so it appears that “John Doe” was staying in a hotel room with an IP address that was caught accessing child porn over YouTube. But it wasn’t the only hotel room with that IP address so it couldn’t be specifically tied to his computer. The prosecutors offered him immunity for his testimony if he decrypted the TrueCrypt-encrypted files on his computer but they didn’t offer him immunity for the “derivative use of such material as evidence against him”. So Doe refused to decrypt the drive, citing the 5th amendment right against self-incrimination. And the 11th Circuit Appeals Court argued that:


By decrypting the drives, Doe is admitting “his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.”

The court dismisses the argument that the contents of Doe’s hard drives are a foregone conclusion, noting that “Nothing… reveals that the Government knew whether any files exist or the location of those files on the hard drives; what’s more, nothing in the record illustrates that the Government knew with reasonable particularity that Doe was even capable of accessing the encrypted portions of the drives.”

In other words, the 11th Circuit appeals court ruled that providing the decryption key is basically a testimony that says “yes, I have access to those files” and thus constitutes a self-incriminating testimony when the government couldn’t actually provide evidence that they knew any incriminating evidence was on the drive (since multiple hotel rooms shared the same IP). If this seems like a stretch, keep in mind that it’s entirely possible for someone to possess a computer or smartphone that contains encrypted files that someone else put there and controls.

Is Encryption Like a Strongbox or a Wall Safe? Who Cares? The Courts
Also keep in mind that the Supreme Court has yet to rule on this case or similar cases, so a very big Supreme Court ruling on forced decryption is just a matter of time [16]:

DuqCrim.com
Criminal Justice Program of Duquesne University School of Law

The catch 22 of forced decryption.
Posted by Frank Spinelli on May 7, 2014 at 7:14 AM

Should forced decryption of a hard drive be prohibited under the Fifth Amendment?

Some background: In cryptography, encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption has been around for a very long time, and has historically been used frequently during wartime.

Meanwhile, the Fifth Amendment states that no person “shall be compelled in any criminal case to be a witness against himself.” The Fifth Amendment is designed to prevent the accused from being forced to divulge incriminating evidence from within his or her own mind, to be used against himself or herself. A person may invoke the Fifth Amendment once three factors have been established: compulsion, a testimonial communication or act, and incrimination. The law also requires that the information sought still retain testimonial value, and consequently be worth being constitutionally protected. The information sought out cannot already be a foregone conclusion, which the Government already concretely knows, or has proven exists by independent means.

Compulsion, and incrimination are relatively straightforward where an accused is asked by a court to decrypt a hard drive.

The court is compelling the accused to divulge the contents that are encrypted in one of two ways. Firstly, by either decrypting the information by providing the password required to decrypt the information, enabling authorities to do just the same. Or, secondly, by providing the information sought, in a decrypted and intelligible form.

Incrimination merely refers to the fact that the information sought to be gained, and compelled to be revealed by the accused, is in fact incriminating.

The issue that is currently undecided is whether or not the act of production, or enabling the decrypting, is testimonial, and whether or not the testimonial status extends beyond the act of decrypting, to the actual contents revealed, or decrypted.

The Supreme Court has yet to rule on this issue. The highest court to rule on the issue has provided some interesting insight regarding the issue. The Eleventh Circuit has held that an accused may not be forced to decrypt the files on an encrypted hard drive, due to the nature of encryption.

The court explained that whether an act is testimonial, and is covered by the protections of invoking the Fifth Amendment, or merely a compelled physical act, which remains unprotected by the Fifth Amendment, can be best analogized to the difference between a strongbox and a wall safe. The court relied on previous Supreme Court decisions concerning the Fifth Amendment, pointing out that the forced production of a physical key to a strongbox would not generally be considered to be a testimonial act. Whereas, the forced production of a combination to a wall safe would be considered a protected testimonial communication or act, as it requires an accused to reveal a truth from within his or her mind. The revelation of which would lead to the production of incriminating evidence, from within the wall safe, or at least support a link in the chain of evidence, strengthening the case against the accused. Something that the Fifth Amendment was specifically added to the Bill of Rights to protect against.

For example, in regards to the previously mentioned historical events, hypothetically, an accused person would be unable to invoke the Fifth Amendment in a case where a court issued a subpoena forcing the production of an Enigma machine to decrypt a file. This would be analogous to the physical key in the strongbox analogy, because the act of producing the Enigma machine would be requiring a physical act. However, if a court issued a subpoena forcing an accused person, fluent in Navajo and English, to reveal the contents of a file, written in Navajo, it would likely be considered to be a testimonial act, and protected under the invocation of the Fifth Amendment. The second subpoena requires the accused to reveal encrypted information by utilizing a mental skill, and essentially compel the production of encrypted, and incriminating evidence from within his or her mind.

Furthermore, because of the nature of encryption, the “foregone conclusion” doctrine is generally inapplicable to information sought, unless corroborated from other evidence, or non-encrypted data on the drive. This is simply because, as the court pointed out, until a hard drive is decrypted it is usually extremely difficult to tell what type of file, or files, if any, are being stored on a hard drive until it is decrypted. Consequently, it is generally not a “foregone conclusion,” since it is difficult to tell if an encrypted hard drive contains zero data, or is filled completely with encrypted data, as empty space and recorded data appear generally the same before decryption. The court therefore reasoned that the decrypted information should also be protected, not just the act of production of the password, but the decrypted data as well.

Consequently, a broader grant of immunity would have to be granted, one which extended to the data eventually decrypted, not just the act of production, before a court may compel an accused to decrypt data.

The issue remains unclear for now in the other circuits, and most states, until the Supreme Court hears a case concerning this issue, and rules decisively on it.

“The issue remains unclear for now in the other circuits, and most states, until the Supreme Court hears a case concerning this issue, and rules decisively on it.” Yep, the issue does remain unclear. But if the Supreme Court is poised to issue a series of rulings on privacy-related issues it seems pretty likely that we’re going to see a ruling on this topic of forced decryption pretty soon because the growth in both the number and popularity of encryption tools means 5th amendment fights over forced decryption are only going to become increasingly frequent. And that means the “Strongbox vs Wall safe” debate is going to become quite a hot topic because, as groups like the Cypherpunk-leaning Electronic Frontier Foundation [17] (EFF) and the ACLU argued last October, if you’re ever forced to decrypt your data it is clearly a “wall safe” and not a “strongbox” scenario and therefore you should get blanket immunity for anything found [2]:

Threatpost

EFF Makes Case That Fifth Amendment Protects Against Compelled Decryption
by Michael Mimoso
October 31, 2013, 2:08 pm

With new leaks about the extent of U.S. government surveillance coming almost daily, one constant remains among all the deterrents to the NSA’s prying eyes: encryption technology works. As far as we know, the math behind encryption is solid, despite the specter of some unnamed breakthrough [18] made by the spy agency some years ago.

Tangentially, the government continues to try to make a case for the ability to force someone alleged to have committed a crime to decrypt their hard drives and turn over evidence. On a number of previous occasions, the courts have upheld Fifth Amendment protections against self-incrimination [19] in such cases.

In a case starting on Monday in Massachusetts Supreme Judicial Court, an appeal of a previous decision against Leon Gelfgatt, 49, of Marblehead, Mass., an attorney, was indicted in a mortgage fraud scam [20] in which he is alleged to have stolen more than $1.3 million. The government, in trying to make its case against Gelfgatt, tried to compel him to decrypt his hard drive. The judge in the case, however, denied the request saying that such an action would violate the Fifth Amendment.

Digital advocacy group the Electronic Frontier Foundation, along with the American Civil Liberties Union, filed an amicus brief [21] yesterday explaining the Fifth Amendment privilege against self-incrimination prohibits compelled decryption. Hanni Fakhoury, staff attorney with the EFF, wrote in a blogpost [22] that the Fifth Amendment protects an individual from unveiling the “contents of his mind” and that the government through this action would be learning new facts in the case beyond the encryption key.

“By forcing Gelfgatt to translate the encrypted data it cannot read into a readable format, it would be learning what the unencrypted data was (and whether any data existed),” Fakhoury wrote. “Plus, the government would learn perhaps the most crucial of facts: that Gelfgatt had access to and dominion and control of files on the devices.”

The government’s argument is that the decryption is akin to providing the combination to unlock a safe, rather than compelling the production of decrypted files.

“That assertion is incorrect,” the brief says. “Just as encrypting a drive encrypts each and every one of its files, decrypting the drive makes available copies of all of its files.” The contention is that because the data is transformed and scrambled, decryption is more than a key, safe combination or password, the brief said.

“In the surveillance environment, the need for encryption is especially strong because it often seems that strong technology is our last refuge from the government’s prying eyes,” Fakhoury said. “We’ve seen in all the leaks the government’s effort to undermine web encryption and so we must make sure they can’t undermine the physical device encryption here.”

So in this case involving $1.3 million stolen through mortgage fraud, the government tried to compel the defendant to decrypt his data by arguing that decryption is analogous to handing over a key to a strongbox. But the EFF and ACLU assert the opposite [19], that decryption is an act of revealing a piece of your inner mind and therefore protected by the 5th Amendment. So when the Supreme Court eventually rules on this topic, THAT’s one of the key legal distinctions it’s going to have to resolve: Is encryption like a strongbox or a wall safe? Welcome to the fun world of unbreakable encryption and legal rights.

The Massachusetts Supreme Court Ruled on that $1.3 million mortgage fraud case just days ago. In that instance, the court found, the government could compel decryption. Why? Well, basically because the person under investigation told the police that he could indeed decrypt the data, but he won’t. So, in this case, court ordered forced decryption was deemed constitution. But that’s just for Massachusetts. Until the US Supreme Court rules on this topic, the constitutionality of forced decryption will depend on not only your legal circumstances, but also your locale [23]:

Ars technica
Massachusetts high court orders suspect to decrypt his computers
Suspect told cops: “Everything is encrypted and no one is going to get to it.”

by Cyrus Farivar – June 25 2014, 7:00pm CST

Massachusetts’ top court ruled, in a 5-2 decision [24] on Wednesday, that a criminal suspect can be ordered to decrypt his seized computer.

The Massachusetts Supreme Judicial Court (MSJC) ruling only applies to the state. Various other courts at the state and federal level have disagreed as to whether being forced to type in a decryption password is a violation of the Fifth Amendment right to protect against self-incrimination and its state equivalents (such as Article Twelve of the Massachusetts Declaration of Rights). For example, more than two years ago, the 11th Circuit Court of Appeals ruled [25] that a defendant was not obliged to decrypt his hard drive, as doing so would violate his Fifth Amendment rights. However, that ruling only took effect in the 11th Circuit, which covers parts of the southeastern United States. Just last year, a federal judge refused [26] to force a Wisconsin child pornography suspect to decrypt his laptop. Overall, cases involving decryption are still relatively new [27] and rare. The first known one only dates back to 2007 [28].

Privacy advocates lamented the MSJC’s new ruling, disagreeing with the court’s judgment that an exception to the Fifth Amendment rule, such as a “foregone conclusion,” applies here.

“The defendant is only telling the government what it already knows”

horities that he was able to decrypt his computers but would not do so.

As the MSJC ruled [29]:

During his postarrest interview with State police Trooper Patrick M. Johnson, the defendant stated that he had performed real estate work for Baylor Holdings, which he understood to be a financial services company. He explained that his communications with this company, which purportedly was owned by Russian individuals, were highly encrypted because, according to the defendant, “[that] is how Russians do business.” The defendant informed Trooper Johnson that he had more than one computer at his home, that the program for communicating with Baylor Holdings was installed on a laptop, and that “[e]verything is encrypted and no one is going to get to it.” The defendant acknowledged that he was able to perform decryption. Further, and most significantly, the defendant said that because of encryption, the police were “not going to get to any of [his] computers,” thereby implying that all of them were encrypted.

When considering the entirety of the defendant’s interview with Trooper Johnson, it is apparent that the defendant was engaged in real estate transactions involving Baylor Holdings, that he used his computers to allegedly communicate with its purported owners, that the information on all of his computers pertaining to these transactions was encrypted, and that he had the ability to decrypt the files and documents. The facts that would be conveyed by the defendant through his act of decryption—his ownership and control of the computers and their contents, knowledge of the fact of encryption, and knowledge of the encryption key—already are known to the government and, thus, are a “foregone conclusion.” The Commonwealth’s motion to compel decryption does not violate the defendant’s rights under the Fifth Amendment because the defendant is only telling the government what it already knows.

A step back for privacy

Because Gelfgatt already admitted to police that he owned and controlled the seized computers and had the ability to decrypt them, the court found that the act of decryption would not reveal anything new to the police. Therefore, the act of compelled decryption was not “testimonial [30].” Normally, the Fifth Amendment privilege prevents the government from forcing a witness to disclose incriminating information in his mind (like a password not written down anywhere else)—but only if that is information the police do not already know.

Jessie Rossman [31], an attorney with the American Civil Liberties Union of Massachusetts, told Ars that her organization is “disappointed in the decision.”

“For example, an individual can be forced to hand over a key to a locked safe if the government already knows that’s your safe—the documents in there have already been created,” she said.

“Your opening that safe, the documents are already there. That’s not new testimonial. But encrypted data needs to be transformed into something new when decrypted. A number of encrypted technology works such that when you look at [a hard drive] you can’t even tell what is empty space or what is not empty space. When you decrypt that computer it’s creating something new and if you didn’t have any knowledge, the act of decrypting tells you something you didn’t know beforehand. We believe that the Fifth Amendment and Article 12 needs to protect not only the act of entering a code but the act of producing decrypted files to the government.”

Fred Cate [32], a law professor at Indiana University, told Ars that this ruling could come with an unfortunate consequence. If someone admits to owning a computer and asserts that they possess the password, “its only likely effect is to encourage future defendants to be less forthcoming with police.”

“This seems to be an issue likely to head to the Supreme Court where, despite today’s sweeping 9-0 victory for privacy [33] involving searches of cellphones, the outcome is not at all certain,” he added. “Historically, the high court has taken a dim view of efforts to expand the Fifth Amendment privilege against self-incrimination or to apply it in novel ways. In the meantime, we should expect to see both federal and state courts continuing to reach divergent results when faced with this important question.”

As suggested at the end, “this seems to be an issue likely to head to the Supreme Court where, despite today’s sweeping 9-0 victory for privacy [33] involving searches of cellphones, the outcome is not at all certain.” Should that uncertainty be surprising? Well, we aren’t just looking at the emergence of a new technological phenomenon (pocket-sized computers) requiring a review of 4th Amendment rights. We’re really looking at the intersection of two intertwined technologies. Until the last decade or so, you didn’t have people carrying around a home’s worth of personally revealing (and potentially incriminating) information in their pockets. And yet, as the article points out, pre-2007 [34] we didn’t really see cases involving court-forced decryption [28], which is to be expected since strong encryption is notoriously non-user-friendly. And the Supreme Court’s recent ruling on the 4th Amendment didn’t really address the issue of forced decryption at all, so yes, quite a bit of uncertainty should probably be expected in the area.

At the same time, notice the overwhelmingly negative responses to this Massachusetts Supreme Court ruling by groups like the ACLU and EFF even when the defendant basically tells the police that, yes, the encrypted drives are his and, yes, he can decrypt them. So one thing we can probably be pretty sure of is that this issue is going to be contentious for a long, long time and the debate over forced decryption is only going to grow. In situations like this where there isn’t a clear ‘right’ and ‘wrong’ but instead a difficult balancing of priorities, a drawn-out fight is pretty much guaranteed.

So get ready for more Supreme Court rulings on these topics. But also get ready for more confusing debates over “what did the government know and when did they know it” and a far more detailed examination of the distinctions between strongboxes and wall safes than you ever expected to endure. Is decryption “an act of production” warranting 5th Amendment protections or just “a physical act”? We’ll find out!

But the fact that these strangely nuanced legal distinctions have to be made in the first place is actually a great example of the system working. Life is complex and the law should reflect that complexity. And as technology progresses those complexities are only going to grow so this is the kind of legal morass that we should be somewhat pleased to see emerging. That legal morass is a reflection of a reality morass and it has to be tackled. Tackled over and over as technology changes. But that legal morass is also a strong reminder that privacy, security, and ever-changing technology are far more complex than the version of reality presented by Edward Snowden and his allies like the EFF.

Many of the accolades given to the Supreme Court’s recent ruling are about how it formalized a recognition that the scale of technology can qualitatively change its nature and necessitate a legal rebalancing of privacy and security. The simple cellphones of yesteryear are quite different from the smartphones of today. As the Supreme Court put it, searching someone’s cellphone might be more informative than searching their home. That’s an important recognition because if technology suddenly allows us all to walk around with a home’s worth of personal information in our pockets we probably don’t want to allow full access to that when someone is simply under arrest. But as we saw with tools like TrueCrypt, if our smartphones are homes, they’re increasingly homes that cannot be entered at all by law enforcement without the permission of the home owner regardless of circumstance because it will be mathematically impossible (and maybe physically impossible [35] someday).

If a court issues a warrant to allow a search of your home, someone is going to search your home whether you want to let them in or not. Physically impenetrable homes aren’t physically possible. But impenetrable smartphones via encryption, on the other hand, are now being aggressively developed and promoted (by Germany) in the post-Snowden era for use by the masses [36] (although they’ll still presumably be hackable by the BND [37] or whichever government sponsors them).

Sure, you can still be sent to jail for contempt of court if you refuse to comply with a valid court order to decrypt, but that just means that the jail time for contempt of court could now suddenly become a much more available legal option in a growing number of cases for people facing far more serious crimes. And don’t forget that people can be assigned the role of the data mule or data ‘fall guy’ in a larger criminal organization. That might be a lot easier to do going forward. We should still prioritize protecting our 4th Amendment rights, but we should also recognize the new real costs that arise when protecting them as we’re forced to adapt those legal protections to changing technological landscapes. Strong encryption is an incredibly useful tool, for good or ill. And that means strong encryption is going to lead to new costs in protecting those rights at the same time that it’s being used in helpful ways. It is what it is.

Beware of Libertarians Bearing Non-Solutions
So let’s be relieved that the Supreme Court is intent on tackling the increasingly complex issues surrounding privacy, security, and technology because the legal ambiguity on these issues is only going to grow. Unbreakable encryption is just a matter of time because it already exists. Edward Snowden may have dramatically accelerated strong encryption’s adoption, but it was just a matter of time before some encryption “killer app” brought strong encryption for both data transmissions and local data storage to the masses. These super-encryption tools were already growing in popularity long before Snowden came along and turned the global focus onto them. Some sort of legal clarity was going to be necessary sooner or later.

And let’s also be relieved that the recent 4th Amendment ruling signifies that the Supreme Court justices are keenly aware that changes in the scope and capacity of technology can necessitate significant rethinking in how society establishes the rules and safeguards for both the technology itself and how that ever-changing technology interfaces with our never-changing human situation of all having to live together under a uniform set of laws. It was a great ruling on the 4th that was overdue.

But with tools like TrueCrypt and Tor becoming increasingly popular, let’s not be relieved about the fact that folks like Edward Snowden, Julian Assange, Jacob Appelbaum, and the rest of the Cypherpunk/Cyberlibertarian movement have largely seized control of the international debates over these issues. Balancing privacy, security, and technology is tough enough as is and it’s only going to get more and more complicated. That’s why you don’t want extremist ideologies dominating the debate. The Cypherpunks make many valid points when highlighting the dangers of a creeping technology-enabled surveillance state (it’s not hard). But Snowden and the Cypherpunks also casually dismiss or ignore the darker implications of the solutions they suggest [38].

If society wants to go down the path of adopting ubiquitous unbreakable encryption and tools that allow for layers and layers of “hidden volumes” along with generous 5th Amendment interpretations that give blanket immunity from forced decryption, well, ok, society should have the right to go down that path. And it might even be the best path overall. We’ll find out because it’s kind of inevitable that super encryption goes mainstream. But we should at least be trying to predict the negative implications that come with going down that path and you don’t see any real attempts to do that by the movements that are currently dominating the global debate. That’s precarious.

It’s true that Edward Snowden and the Cypherpunks say things like “not all spying is bad [39]” and things like “we need both policy solutions and technical solutions”, but that’s about it. The rest of what he’s been advocating is largely a Cypherpunk agenda that makes policy solutions moot. Let’s take another quick look at Snowden’s suggestions at the SXSW festival [40]:

Wired
Edward Snowden Urges SXSW Crowd to Thwart NSA With Technology

By Kim Zetter
03.10.14 | 3:48 pm

With lawmakers slow to pass legislation curbing NSA surveillance, it’s up to the technology community to step in and devise solutions that will better protect online communications from snoops, said Edward Snowden, speaking today from Moscow at the South by Southwest conference in Austin.

“[T]he people who are in the room at Austin right now, they’re the folks who can really fix things, who can enforce our rights for technical standards even when Congress hasn’t yet gotten to the point of creating legislation that protect our rights in the same manner…,” he said. “There’s a policy response that needs to occur, but there’s also a technical response that needs to occur. And it’s the makers, the thinkers, the developing community that can really craft those solutions to make sure we’re safe.”

The massive surveillance being done by the NSA and other governments has created “an adversarial internet,” he said, “a sort of a global free-fire zone for governments, that’s nothing that we ever asked [for]; it’s not what we wanted. It’s something we need to protect against….

“[T]hey’re setting fire to the future of the internet. And the people who are in this room now, you guys are all the firefighters. And we need you to help us fix this.”

One solution he highlighted, that would make it more difficult for the U.S. and other governments to conduct passive surveillance, is the implementation of end-to-end encryption that would protect communications from user to user, rather than as it’s currently done by Google and other services, which only encrypt the communication from user to service, leaving it vulnerable to collection from the service provider.

“End-to-end encryption … makes mass surveillance impossible at the network level,” he says, and provides a more constitutionally protected model of surveillance, because it forces the government to target the endpoints — the individual users — through hacking, rather than conduct mass collection.

That’s the claim made over and over by Snowden: if we just all implement end-to-end strong encryption then the government will just target individual users “through hacking”. So it will be harder for the government to spy on individuals, but not impossible. But as we’ve seen, there’s really no way to “hack” strongly-encrypted locally stored data. Especially if it’s in a hidden volume that can’t be detected. And then there’s the fact that much of what Snowden’s leaks have revealed has been targeted surveillance methods [41].

Snowden’s words have enormous influence on these topics and, unfortunately, that means the global policy debate that needs to emerge in response to ubiquitous super encryption technology is starting off in a warped manner. We get endless debates over whether or not metadata collection helps stop ‘terror’ and yet, as we also saw above, it wasn’t terrorism that people were using strong encryption to carry out. It was everyday crimes. This isn’t just about terrorism and the abuse of government power.

So we really have to keep asking ourselves if the anti-NSA backlash is going to be used by folks with a libertarian agenda to weaken the government in ways that go far beyond bulk surveillance [42]. If we accept the libertarian assumption that government simply can’t work, the kind of balance eventually struck on issues like the 4th and 5th Amendments may result in the kind of society where things like legitimate law enforcement increasingly can’t work too. Is that part of the agenda? It sure would fit the current anti-government fever [43] afflicting an increasingly far-right GOP. Just imagine the kinds of corporate abuses that could be enabled with end-to-end encryption, “hidden volumes”, and the kind of 5th Amendment interpretation that basically views any forced decryption as a violation of the 5th Amendment.

These lurking dangers are one of the reasons why the Supreme Court’s 4th Amendment ruling was great but it was also only part of the overall solution to balancing privacy and security in this current technological environment. Now that strong encryption for the masses is becoming a reality, a 5th Amendment ruling on forced decryption is going to be needed too before we can really assess the new legal landscape. And as we saw above, that’s not an easy or obvious ruling…not nearly as easy as this 4th Amendment case. In fact, it looks pretty difficult. Is encryption like a strongbox or wall safe? What a strange concept to have legal immunity hinge upon.

But another reason we need to be on guard against an anti-NSA backlash morphing into an attack on the legitimacy of government is because the ‘Little Brother’ surveillance state that everyone wants to live in – and it’s not just libertarians who desire that [44] – might require a ‘Big Helpful Brother’ government for fixing the kinds of big problems that don’t get fixed on their own or by “the market” or charity. And that means *gasp* building a government you can trust and that’s empowered to get things done! Not the libertarian vision of a government that you can trust because it’s been systematically disempowered, but a real democratically elected government that doesn’t accept poverty or oppression in any form and doesn’t simply wait for the private sector to fix those problems.

We can’t rely on technology as a shield against bad policy or bad governments. If we’re going to get serious about addressing the weird and ever more exotic threats facing society, one of the most powerful tools for protecting our privacy is, quite simply, a highly competent society. Competent in the sense that it’s a society that is actively engaged in learning about the threats around it, emerging and existing threats, while also being sane enough to deal with these threats in a manner that doesn’t lead to some sort of nightmare situation. That’s how we protect our privacy most effectively: by identifying and solving the kinds of openly visible problems like poverty and oppression that encourage individuals to secretly engage in terrorism or harmful crimes. There’s simply going to be less danger to look out for the more we make a better world.

But we’re not going to be able to build that competent society capable of helping if the only governments we can trust are those without the power to harm. Government, it turns out, is a lot like technology: Governments with the power to help can also hurt, just like technology. Powerful governments aren’t inherently a “good” or “bad” thing, as the libertarians assert. It depends on how you use them. If you have a weak government, it may not directly harm you but it’s not going to help either. Just like technology. This is why ensuring that we don’t protect our rights at the expense of a competent helpful government is going to be increasingly important and challenging going forward. The simple fact that few entities are more empowered by technology than a government creates an impulse to disempower government as a form of civic self-defense. And that impulse is only going to grow with each technological advance that enhances that power. How we strike that balance between privacy and security without turning governments into either a beast or a worthless joke isn’t obvious. Maybe empowering criminals with super encryption tools and 5th Amendment rights is a reasonable price to pay to avoid the costs associated with government abuse? Or maybe it’ll foster a crime explosion? Maybe both. No matter which path is chosen we’ll see the consequences. Eventually. But we’re not going to see all of the other optional paths forward if the Cypherpunk [45]/Libertarian perspective continues to be the dominant perspective on these kinds of issues.

Enough With the Insane Insanity. Sane Insanity is Required
To some extent, if we really want to get serious about grappling with these mutually contradictory issues we, by definition, need to go somewhat insane in terms of our worldview. Insane in the sense that we really do need to hold multiple, mutually contradictory ideas in our minds simultaneously in order to grapple with them individually. Sane insanity. In other words, you can’t simply be a “privacy advocate” without being a “security advocate”. Privacy and security are intertwined because our lives are intertwined. I have to care about your security too if I really want to protect my privacy and vice versa.

But you also can’t achieve that intertwined state by simply defining “privacy=security”, as we often hear from folks like Snowden or Assange. That just doesn’t make sense when “privacy” includes super encryption and “hidden volumes” and legal regimes that can potentially provide an incredible shield against legitimate law enforcement or national security tasks. At the same time, because reality is somewhat insane we can’t kid ourselves about the incredible dangers that could potentially arise from technologically enabled mass surveillance, especially crypto-mass surveillance (the Panopticon [46]). Sane insanity is needed on a variety of topics and that need is only going to grow.

Terrified of a government with the power to track us all? Great. It’s a healthy sense of terror. Governments can become criminal. But also be terrified of a government that can’t really track or prosecute criminals, even when it’s important. So embrace the cognitive dissonance that comes with these issues. Embracing the technology-enhanced cognitive dissonance and lack of easy and obvious answers is the answer. That’s how the kinds of long-term solutions we need are going to be found and it’s a lot better than the alternative [47].