We are cautioned to create undecipherable passwords and PIN numbers to protect our privacy, identity and property. On the flip side, these protections may be put to the test in a criminal investigation.
Until recently, the Fifth Amendment provided guidance in responding to demands for keys to lock boxes and combinations for safes. Now suspects are being asked to disclose information that will access computer hard drives and open encrypted files. How far will the Constitution protect the right against self-incrimination in light of increasingly sophisticated means of securing computer contents?
Secret writing is as old as writing itself, underscoring the longstanding interest in the privacy of communications and records. Even those early Americans who conceived and ratified the constitutional protection against self-incrimination lived through an era of ciphers and codes spawned by the Revolutionary War.
Now, the steady evolution of electronic privacy measures is leading us into new territory and new interpretations of that constitutional protection.
In Doe v. United States, 1 the U.S. Supreme Court decided that a grand jury subpoena compelling petitioner to sign a dozen bank disclosure forms for any records of accounts in three different institutions did not violate the Fifth Amendment. Although conceding “acts that imply assertions of facts” are testimonial, Justice Harry Blackmun concluded that the forms were not communicative since they did not refer to specific accounts, confirm their existence or demonstrate control by petitioner; in other words, there was no authentication.
The Court also pointed out that the consent form did not represent the contents of petitioner’s mind. It analogized the disclosure document to a key used to open a strongbox as opposed to a combination to a wall safe.
The wall safe has been the classic repository of people’s most private and treasured assets and documents. And as the forerunner to the password protected hard drive, it offers a glimpse of where lines might be drawn in assigning the Fifth Amendment privilege.
In 2000, Alcohol, Tobacco and Firearms agents executed a search warrant for firearms at the home of Gary Green in Kerrville, Texas. 2 Although Green was Mirandized, the agents did not permit him to contact his lawyer. Answering the agents’ questions about the existence of weapons in his home, Green told them about a locked metal briefcase and a safe, both of which he opened at their request.
The agents’ custodial questioning of Green without permitting him to speak with counsel violated his right against self-incrimination. More importantly, revealing the locations of the weapons in locked containers and the acts of opening the combinations were found to be testimonial, as envisioned by the Supreme Court in Doe.
More frequently, targets of investigations are being asked to reveal computer passwords. While digital evidence may have been unfathomable to the authors of the Fifth Amendment, encryption was not. And over time, the courts have had to update their understanding of the self-incrimination doctrine in the light of new scenarios and technologies.
When Sebastien Boucher was arrested on federal pornography charges, government agents took his laptop, which they believed contained “relevant files” that turned out to be password-protected and inaccessible. 3 A grand jury issued a subpoena to compel Boucher to disclose the password, to which he responded with a motion to quash on Fifth Amendment grounds.
The investigation stemmed from a border search of Boucher’s computer, during which an officer accessed the contents without a password, discovering thousands of images. Some of the files “appeared” to contain pornography based on their names.
Boucher claimed that many of these images were unwittingly downloaded from news groups, which he deleted when he became aware of them. A more experienced agent now involved in the case asked Boucher to show him the news group files located on the computer’s Z drive. Here the agent found more files of interest. Based on this discovery, the laptop was seized and shut down, followed by Boucher’s formal arrest.
When the laptop was restarted, the files on the Z drive could not be opened. The drive was protected by Pretty Good Privacy (PGP) encryption software. According to the government, it was “nearly impossible” to access these files without a password. An automated system for breaking passwords might take years to find the right combination. This roadblock led to the grand jury subpoena.
The grand jury asked for any documents containing passwords associated with the laptop. The government generously offered to allow Boucher to enter the password without observation. The “action” immunity proposal was rejected by the defendant who continued to oppose disclosure on self-incrimination grounds.
The Fifth Amendment protects communications that are compelled, testimonial and incriminating in nature. 4 The testimonial character of the password was the only point of contention.
The judge concluded that revealing the password was the same as turning over the contents of the laptop. It was an act of production that became testimonial. Giving up the password would establish or confirm that the files existed, were within defendant’s possession or control (custody), and authentic. The grand jury’s subpoena put Boucher in the dicey position of potentially implicating himself, committing perjury or being held in contempt.
At the heart of the judge’s reasoning was the idea that the computer safeguard selected was a product of the mind. Revealing the actual combination of letters and numbers or entering them without being viewed would have shown knowledge of a password tethered to the sought after files.
And it was not a “foregone conclusion” that the prosecution would have accessed the specific, targeted materials without Boucher’s cooperation. 5 His password would have allowed the government to go on a fishing expedition among all the files on the Z drive, known and unknown, forging a vital incriminating link in the chain of evidence.
The Body Electric
The testimonial nature of an alphanumeric password under the Fifth Amendment has been made clear, 6 but computer security has evolved beyond conventional passwords.
From keys and combination locks to PIN numbers and encryption codes, we are moving toward more complex and intimate forms of security.
Unlocking the contents of a laptop may mean surrendering a fingerprint. Still, physical identifying characteristics are not testimonial or communicative until their acquisition becomes too intrusive. As Justice William J. Brennan in Schmerber noted, “fingerprinting, photographing, or measurements, to write or speak for identification, to appear in court, to stand, to assume a stance, to walk, or to make a particular gesture,” are typically unprotected by the Fifth Amendment. 7 However, as the purpose changes so does the analysis.
The Court in Schmerber concluded: “blood test evidence, although an incriminating product of compulsion, was neither petitioner’s testimony nor evidence relating to some communicative act or writing by the petitioner, it was not inadmissible on privilege grounds.” The same rationale applied to fingerprints and other bodily and behavioral indicia.
A fingerprint taken for identification purposes is not testimonial, albeit incriminating evidence. On the other hand, if that same fingerprint was required to unlock a laptop, fulfilling the role of a conventional password or something more, then it might constitute a communication.
For example, a handwriting exemplar such as a signature becomes testimonial when it is germane to the crime. In United States v. Mara, a Fourth Amendment case, the Court noted in an aside: “If the Government should seek more than the physical characteristics of the witness’ handwriting – if, for example, it should seek to obtain written answers to incriminating questions or a signature on an incriminating statement – then, of course, the witness could assert his Fifth Amendment privilege against compulsory self-incrimination.” 8
Something as basic as who accessed a computer at a given moment, as important in some cases as revealing the contents of files, can be determined through biometric software. In a recent divorce matter where the husband accused the wife (or her agent) of planting pornographic images on his computer, an expert testified that “there was no way of knowing who was actually logged on a computer at a particular date or time unless the computer is biometric capable.” 9
A biometric measure can authenticate access to a computer’s contents and disclose the history of its use to a greater degree than a common password. It can be argued that fingerprints and other physical measures implicitly communicate, supplying the missing testimonial element of the Fifth Amendment trilogy.
The best description of the incipient fusion of traditional passwords and biometrics comes from the title of a 1997 article that appeared in Wired magazine, “The Body as Password.” 10 The article went on to explain that scanners map and digitize the geometry of a finger or an eyeball translating them into strings of characters that can be read by another machine, which compares it with information on file. Biometrics is merely another form of password generator.
The choice to use a physical characteristic to secure access to private information is as much an expression of the mind as the selection of random numbers and letters. Would it make a difference under the Fifth Amendment if the password were created by a computer program rather than conceived by a human brain? Or stored in the digital interpretation of a body part? It is the conscious choice to use a personal, biometric method for protecting and encrypting information that is important.
In Fisher v. United States, 11 Justice Brennan, in a separate opinion addressing the implicit authentication rationale, pointed out that “[a]n individual’s books and papers are generally little more than an extension of his person.” Now that passwords can literally be an “extension” of a person’s body or behavior, it follows that the source of their content deserves protection.
We live in a time when biometric identifiers have been transformed into the means for acknowledging the existence, control, possession and authentication of computer files. As passwords shift from randomly chosen letters and numbers to “pieces of ourselves,” we must be mindful that protecting “personal privacy” has always been a key purpose of the Fifth Amendment.
And when brain scans and functional MRIs are adapted to biometric security, we will have come full circle. A password whether drawn from our brains or our palms is still a password. And the choice of method is an expression of the “contents of the mind.”
Ken Strutin is director of legal information services at the New York State Defenders Association.
1. 487 U.S. 201, 209-210 (1988).
2. United States v. Green, 272 F.3d 748 (5th Cir. 2001).
3. In re Grand Jury Subpoena (Boucher), 2007 U.S. Dist. LEXIS 87951 (D. Vt. Nov. 29, 2007).
4. Fisher v. United States, 425 U.S. 391 (1976).
5. See, e.g., United States v. Pearson, 2006 U.S. Dist. LEXIS 32982 (N.D.N.Y. May 24, 2006) (hearing ordered to determine if computer files can be authenticated without password).
6. See generally Aaron M. Clemens, “No Computer Exception to the Constitution: The Fifth Amendment Prevents Compelled Production of an Encrypted Document or Private Key,” 2004 UCLA J.L. & Tech. 2 (2004).
7. Schmerber v. California, 384 U.S. 757, 764 (1966).
8. 410 U.S. 19, 22 (1973).
9. Tauck v. Tauck, 2007 Conn. Super. LEXIS 2618 (Conn. Super. Ct. Sept. 21, 2007).
10. Wired, No. 5.07, July 1997, http://www.wired.com/wired/archive/5.07/biometrics.html.
11. 425 U.S. at 420.